[openstack-dev] [novaclient]should administrator can see all servers of all tenants by default?

Christopher Yeoh cbkyeoh at gmail.com
Mon Oct 21 13:11:51 UTC 2013


On Mon, Oct 21, 2013 at 1:32 AM, Lingxian Kong <anlin.kong at gmail.com> wrote:

> two questions here:
> 1. whether '--all-tenants' should be with '--tenant' or not.
> 2. can admin see other tenant's server using its name instead of id?
>
>
I think a name search as well as id makes sense, though that change lies
entirely within python-novaclient and could potentially take a long time
and could be avoided by passing 'all_tenants 0'.

btw I have submitted a series of patches (IMO some cleanup is required as
well) which addresses the tenant_id/all_tenants issue:

https://review.openstack.org/#/c/52007/
https://review.openstack.org/#/c/52864/
https://review.openstack.org/#/c/52919/

Chris.



> 2013/10/16 Robert Collins <robertc at robertcollins.net>
>
>> I think that would be fine: --tenant FOO implying 'show me results
>> from FOO if I have access to that' makes total sense to me.
>>
>> On 16 October 2013 17:52, Christopher Yeoh <cbkyeoh at gmail.com> wrote:
>> >
>> > --all-tenants would only be turned on if --tenant was specified, not a
>> > general default. Do you see that causing any problems for non trivial
>> > clouds?
>> >
>> > Chris
>> >
>> >
>> > On Tue, Oct 15, 2013 at 7:26 PM, Robert Collins <robertc at robertcollins.net> wrote:
>> >>
>> >> Please don't invert the bug though: if --all-tenants becomes the
>> >> default nova server behaviour in v3, please ensure there is a
>> >> --no-all-tenants to unbreak it for non-trivial clouds.
>> >>
>> >> Thanks!
>> >> -Rob
>> >>
>> >> On 15 October 2013 20:54, Lingxian Kong <anlin.kong at gmail.com> wrote:
>> >> > then, what's the conclusion that we can begin to start?
>> >> >
>> >> >
>> >> > 2013/10/15 Christopher Yeoh <cbkyeoh at gmail.com>
>> >> >>
>> >> >> On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler
>> >> >> <caitlin.bestler at nexenta.com> wrote:
>> >> >>>
>> >> >>> On 10/14/2013 8:37 AM, Ben Nemec wrote:
>> >> >>>>
>> >> >>>> I agree that this needs to be fixed.  It's very counterintuitive, if
>> >> >>>> nothing else (which is also my argument against requiring all-tenants
>> >> >>>> for admin users in the first place).  The only question for me is
>> >> >>>> whether to fix it in novaclient or in Nova itself.
>> >> >>>
>> >> >>>
>> >> >>> If it is fixed in novaclient, then any unscrupulous tenant would be able
>> >> >>> to unfix it in novaclient themselves and gain the same information about
>> >> >>> other tenants that the bug is allowing.
>> >> >>>
>> >> >>> So if the intent is to protect leakage of information across tenant lines
>> >> >>> then the correct solution is a real lock (i.e. in Nova) rather
>> >> >>> than just a screen door "lock".
>> >> >>>
>> >> >>
>> >> >> The novaclient fix for V2 would be simply to automatically pass
>> >> >> all-tenants where needed. It would not give a non admin user any extra
>> >> >> privileges even if they modified novaclient.
>> >> >>
>> >> >> Chris
>> >> >>
>> >> >> _______________________________________________
>> >> >> OpenStack-dev mailing list
>> >> >> OpenStack-dev at lists.openstack.org
>> >> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > --------------------------------------------
>> >> > Lingxian Kong
>> >> > Huawei Technologies Co.,LTD.
>> >> > IT Product Line CloudOS PDU
>> >> > China, Xi'an
>> >> > Mobile: +86-18602962792
>> >> > Email: konglingxian at huawei.com; anlin.kong at gmail.com
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Robert Collins <rbtcollins at hp.com>
>> >> Distinguished Technologist
>> >> HP Converged Cloud
>> >
>>
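
The client-versus-server point debated in this thread, as an added example that is not part of the original messages and is not Nova or python-novaclient code: a server-side list handler that decides tenant scope from the authenticated context, so a modified client cannot widen it. The names `RequestContext`, `list_servers` and `Forbidden`, the choice to reject rather than silently ignore the request, and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RequestContext:
    # Identity derived by the server from the validated token, never from query params.
    project_id: str
    is_admin: bool

class Forbidden(Exception):
    pass

# Constructed sample inventory (not real data).
SERVERS = [
    {"id": "s1", "name": "web", "tenant_id": "tenant-a"},
    {"id": "s2", "name": "db", "tenant_id": "tenant-a"},
    {"id": "s3", "name": "web", "tenant_id": "tenant-b"},
]

def list_servers(ctx, params, servers=SERVERS):
    """Return server ids visible to ctx; params are untrusted client input."""
    all_tenants = str(params.get("all_tenants", "0")).lower() in ("1", "true")
    tenant = params.get("tenant_id")
    if not ctx.is_admin:
        # A modified client can send anything; the server refuses to widen scope.
        if all_tenants or (tenant and tenant != ctx.project_id):
            raise Forbidden("cross-tenant listing requires admin")
        scope = ctx.project_id
    elif tenant:
        scope = tenant          # admin: --tenant FOO implies a cross-tenant lookup
    elif all_tenants:
        scope = None            # admin opted in explicitly: no tenant filter
    else:
        scope = ctx.project_id  # admin default stays scoped to own project
    rows = [s for s in servers if scope is None or s["tenant_id"] == scope]
    if params.get("name"):
        rows = [s for s in rows if s["name"] == params["name"]]
    return [s["id"] for s in rows]

if __name__ == "__main__":
    admin = RequestContext("admin-project", True)
    user = RequestContext("tenant-a", False)
    print(list_servers(admin, {"tenant_id": "tenant-b"}))
    print(list_servers(user, {}))
    try:
        list_servers(user, {"all_tenants": "1"})
    except Forbidden as exc:
        print("denied:", exc)
```

With the check on the server, having the client pass `all_tenants` automatically only changes convenience for admins; it grants nothing to a non-admin caller.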